SecurityTracker.com
Category:   Application (E-mail Server)  >   Mailman
Vendors:   GNU [multiple authors]
(Debian Issues Revised Fix) Mailman List Software Input Validation Flaw in 'email' Variable Allows Remote Users to Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1009164
SecurityTracker URL:  http://securitytracker.com/id/1009164
CVE Reference:   CVE-2003-0038
Date:  Feb 22 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.1
Description:   An input validation vulnerability was reported in the Mailman mailing list distribution software. A remote user can conduct cross-site scripting attacks against Mailman users and administrators.

It is reported that the 'email' variable on the web interface is not properly filtered to remove HTML code from user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Mailman web interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

https://[target]:443/mailman/options/yourlist?
language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>

It is also reported that the default error page does not properly filter user-supplied input. A demonstration exploit URL is provided:

https://[target]:443//mailman/options/yourlist?
language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
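
As an added example that is not Mailman's code, the following Python stand-in for the options CGI shows the unfiltered reflection the advisory describes beside a hardened version that validates 'email' and 'language' and HTML-escapes anything it echoes, including on the error page. The hostname, page markup and helper names are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Added example; this is not Mailman's code. A minimal stand-in for the
# options CGI that reflects 'email' and 'language' into HTML, first as the
# unfiltered reflection the advisory describes, then in a hardened form.

# Constructed request from the advisory's demonstration URL (hostname is a placeholder).
DEMO_URL = ("https://lists.example.org/mailman/options/yourlist?"
            "language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>")

def query_params(url):
    """First value of each query parameter, percent-decoded ('' if absent)."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}

def render_vulnerable(params):
    """Echoes the raw value: the behaviour the advisory describes."""
    return '<input name="email" value="%s">' % params.get("email", "")

# Allow-list shapes for the two parameters; anything else is rejected.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
LANG_RE = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")

def render_hardened(params):
    """Validate each input, then HTML-escape every value that is echoed."""
    raw_email, raw_lang = params.get("email", ""), params.get("language", "")
    email_ok = bool(EMAIL_RE.match(raw_email))
    lang_ok = bool(LANG_RE.match(raw_lang))
    email = raw_email if email_ok else ""       # rejected value is not reused
    lang = raw_lang if lang_ok else "en"
    page = ('<input name="email" value="%s"><input name="language" value="%s">'
            % (html.escape(email, quote=True), html.escape(lang, quote=True)))
    for name, raw, ok in (("email", raw_email, email_ok), ("language", raw_lang, lang_ok)):
        if raw and not ok:
            # The error page was the advisory's second reflection point: the
            # rejected value reaches the browser only through html.escape().
            page += '<p>Invalid %s: "%s"</p>' % (name, html.escape(raw, quote=True))
    return page

def reflects_script(page):
    """True if a live <script> tag survived into the rendered HTML."""
    return "<script" in page.lower()
```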

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Mailman software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   Debian has released a fix. Debian reports that while fixing these vulnerabilities for DSA 436-1, a new bug was introduced into the stable version (woody) that can cause mailman to crash when processing certain malformed messages. This advisory (DSA 436-2) reportedly corrects that bug. For the current stable distribution (woody), the fix is available in version 2.0.11-1woody8.

Vendor URL:  www.gnu.org/software/mailman/mailman.html
Cause:   Input validation error
Underlying OS:  Linux (Debian)
Underlying OS Comments:  3.0

Message History:   This archive entry is a follow-up to the message listed below.
Jan 24 2003 Mailman List Software Input Validation Flaw in 'email' Variable Allows Remote Users to Conduct Cross-Site Scripting Attacks



Source Message Contents

Subject:  [SECURITY] [DSA 436-2] New mailman packages fix bug introduced in DSA 436-1

--------------------------------------------------------------------------
Debian Security Advisory DSA 436-2                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
February 21st, 2004                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : mailman
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0991 CAN-2003-0965 CAN-2003-0038

Several vulnerabilities have been fixed in the mailman package:

 - CAN-2003-0038 - potential cross-site scripting via certain CGI
   parameters (not known to be exploitable in this version)

 - CAN-2003-0965 - cross-site scripting in the administrative
   interface

 - CAN-2003-0991 - certain malformed email commands could cause the
   mailman process to crash

The cross-site scripting vulnerabilities could allow an attacker to
perform administrative operations without authorization, by stealing a
session cookie.

In the process of fixing these vulnerabilities for DSA 436-1, a bug
was introduced which could cause mailman to crash on certain malformed
messages.

For the current stable distribution (woody) this problem has been
fixed in version 2.0.11-1woody8.

The update for the unstable distribution did not share the bug
introduced in DSA 436-1.

We recommend that you update your mailman package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8.dsc
      Size/MD5 checksum:      595 bef710bf0b5805d0946473c19ac42bbc
    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8.diff.gz
      Size/MD5 checksum:    31818 1f5fae277367b06965b2dc3d38fac895
    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11.orig.tar.gz
      Size/MD5 checksum:   415129 915264cb1ac8d7b78ea9eff3ba38ee04

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_alpha.deb
      Size/MD5 checksum:   461284 ea9daf95ebb6f6c15b64d93fc6a75dae

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_arm.deb
      Size/MD5 checksum:   458966 89dc55b67c3f7b6156dfb93eeab2a209

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_i386.deb
      Size/MD5 checksum:   458964 63db95b7687b1b8f6a222b49dde4e584

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_ia64.deb
      Size/MD5 checksum:   461790 d651a19c06cba8ef5b12845df0cdf386

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_hppa.deb
      Size/MD5 checksum:   459512 afddeae9eff5820d7de74ad6a6753d16

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_m68k.deb
      Size/MD5 checksum:   459102 8266eaefb8e56631b3761e30e6bb3095

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_mips.deb
      Size/MD5 checksum:   459502 9896dbddb5704e7ecf6de3524ab6d225

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody7_mipsel.deb
      Size/MD5 checksum:   459336 a091672c96a16bfc42d807b4a2a99a11

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_powerpc.deb
      Size/MD5 checksum:   459788 4ef14c3ee4845e039f1143e897f42c12

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_s390.deb
      Size/MD5 checksum:   459790 b17c89f584242c502ff6b9ddac43814d

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_sparc.deb
      Size/MD5 checksum:   464280 27935cf8280a793d24fe8ea188f77de4

  These files will probably be moved into the stable distribution on
  its next revision.
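
Before the `dpkg -i` step in the upgrade instructions above, a practitioner would check the downloaded package against the Size/MD5 pair the advisory publishes for it. The following Python is an added example, not part of the Debian advisory: it parses the advisory's own file-list layout into a manifest and verifies a file's size and MD5 against it. The embedded excerpt is the i386 entry from this advisory; the function names are my own.

```python
import hashlib
import os
import re

# Added example, not part of the Debian advisory: parse the advisory's
# "URL" + "Size/MD5 checksum: SIZE HASH" pairs and check a download against them.

# Constructed excerpt in the advisory's own layout: the i386 entry of DSA 436-2.
ADVISORY_EXCERPT = """\
  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody8_i386.deb
      Size/MD5 checksum:   458964 63db95b7687b1b8f6a222b49dde4e584
"""

URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})\s*$")

def parse_manifest(text):
    """Map package basename -> (size, md5) for each URL/checksum line pair."""
    manifest, pending_url = {}, None
    for line in text.splitlines():
        url = URL_RE.match(line)
        if url:
            pending_url = url.group(1)
            continue
        chk = SUM_RE.match(line)
        if chk and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            manifest[name] = (int(chk.group(1)), chk.group(2))
            pending_url = None
    return manifest

def check_contents(name, data, manifest):
    """Return (ok, reason); size is compared first, then the MD5 digest."""
    # MD5 only catches corrupted or swapped downloads; the signed advisory
    # (and apt's signature checks) is what vouches for the list itself.
    if name not in manifest:
        return False, "not listed in advisory"
    want_size, want_md5 = manifest[name]
    if len(data) != want_size:
        return False, "size %d != %d" % (len(data), want_size)
    if hashlib.md5(data).hexdigest() != want_md5:
        return False, "md5 mismatch"
    return True, "size and md5 match"

def verify_file(path, manifest):
    """Check a downloaded .deb on disk against the advisory manifest."""
    with open(path, "rb") as f:
        return check_contents(os.path.basename(path), f.read(), manifest)
```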

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Copyright 2020, SecurityGlobal.net LLC